

Ensure State Provisions Are Included In Your Privacy Policies and Procedures

June 26, 2019

CDA recommends members who are HIPAA-covered entities obtain the ADA Practical Guide to HIPAA Compliance for its comprehensive collection of templates for forms and written policies and procedures. When customizing the templates for use by the practice, make certain you include the following state requirements.

Time allowed to provide patient with access to records

California allows 15 days to provide a copy and five working days for inspection. HIPAA allows 30 days. You must comply with the shorter term.

Patient request to amend record

Patient requests to amend a record are uncommon in dental practices, but a HIPAA-covered entity must have policies and procedures for addressing these requests. Both HIPAA and state law provide patients the right to request amendments to their records. However, the laws differ in how a health care provider can respond to such a request. Ideally, a discussion with the patient regarding an amendment should be done prior to the initiation of the amendment process. Once a written request for amendment is submitted, the dentist must respond.

California law simply allows a patient to add a statement to the record. A patient amendment can be no longer than 250 words for each item that is believed to be incomplete or inaccurate. The health care provider must include a patient amendment in the record. Except for an emancipated minor, a minor patient does not have the right to amend his or her record.

Under HIPAA, a patient submits a request to the covered entity to amend the record. The health care provider can require a written request be submitted and that the patient provide a reason for the amendment. The provider should respond within 60 days of receiving the request but may have another 30 days if the extension is requested in advance from the patient.

Refer to the ADA guide to learn more about HIPAA’s requirements for responding to a patient request to amend a record.

Permissible uses and disclosures of patient information not requiring patient authorization

In general, HIPAA allows a covered entity to use or disclose patient information for treatment, payment and business operations. California law, however, defines the unauthorized access of patient health information as those uses not for the purpose of diagnosis or treatment or as otherwise allowed by law. The allowed uses are included in California Civil Code Section 56.10. In summary, a patient’s information may be provided with certain limitations and without patient authorization only to:

  • Other health care providers for treatment of the patient;
  • Third-party payers to collect payment for the patient’s care;
  • Certain entities for review in liability, arbitration, peer review, quality assurance, quality assessment or medical necessity cases;
  • Appropriate accrediting and licensing entities in specific circumstances;
  • County coroners and public health departments for official purposes;
  • Appropriate entities for bona fide educational or research purposes;
  • Courts upon court order, law enforcement with search warrants or other government entities with orders pursuant to their respective legal authority; and
  • Others as allowed or required by law.

Therefore, the disclosure of patient information for business operations that are not included in Section 56.10, such as collections or practice sale, should not occur unless the practice has obtained patient authorization for the disclosure. A patient’s signed acknowledgment of receipt of a notice of privacy practices that lists these business operations is not the same as patient authorization for disclosure.

Consent for use or disclosure of patient information

Any form used by a HIPAA-covered entity to obtain authorization to use or disclose patient information must be in 14-pt type. A covered entity may also honor a request handwritten by the patient or patient’s legal representative and should attempt to obtain an expiration date or event for the authorization.

Breach notification

California requires notification of individuals and others when there is a breach of unencrypted, computerized information that has a person’s first name or first initial and last name in combination with any of the following:

  • Social Security number;
  • Driver’s license number or California identification card number;
  • Account number, credit/debit card number, in combination with any required security code, access code or password that would allow access to the person’s financial account;
  • Medical information, defined as “any information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a health care professional”;
  • Health insurance information, defined as “an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual’s application and claims history, including any appeals records”; or
  • A username or email address in combination with a password or security question and answer that would permit access to an online account.

The CDA resource “Data Breach Notification Requirements” can be included in a dental practice’s policies and procedures.
